I am a little bit confused at the moment. I'm trying to build a database and cookie-based login system.
After I experimented a bit and read http://www.yiiframework.com/forum/index.php?/topic/11858-security-implications-with-cwebuser/ I started to build a system like this:
Use two cookies:
First with encrypted username/userId
Second with an information hash which is unique for this user
On autoLogin, the username from cookie one is decrypted, and the user information is fetched from the database.
From the user info a hash is built, which is compared to the hash from cookie two.
If the hashes are equal, the user is logged in.
Now, as I understood the CWebUser/CUserIdentity concept, on login all information stored as "states" in the user identity will be stored in the cookie.
So I tried to see which states are set by default by using $identity->getPersistentStates(), which returns an empty array.
But when I log in the user, all data from my user identity is stored in plain text in the cookie. So I think I don't get the concept here?!
How can I control what is stored in the cookie on login?
In my scenario, would this only be the encrypted username?
How would I integrate the second cookie?
I appreciate every hint.
Thanks in advance, best regards,
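The two-cookie autologin described in the post, as an added framework-agnostic Python sketch (not Yii code and not the poster's own): cookie one carries the user id protected by a MAC instead of being encrypted (an assumption, since the standard library has no AES), cookie two is a keyed hash over the user record so it cannot be forged by someone who merely knows the user's data, and both checks use constant-time comparison. USERS and SERVER_SECRET are constructed sample values.

```python
import hmac
import hashlib
import json

# Constructed sample "database": user id -> record. The password hash is part of
# the fingerprint so that a password change invalidates previously issued cookies.
USERS = {
    42: {"username": "alice", "email": "alice@example.com",
         "password_hash": "$2y$10$constructed-bcrypt-hash"},
}
SERVER_SECRET = b"constructed-server-secret-never-commit-this"  # assumption


def _mac(key: bytes, msg: bytes) -> str:
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def _fingerprint(user_id: int, record: dict) -> str:
    # Cookie two: keyed hash over the fields that identify this user. A plain
    # unkeyed hash would let anyone who knows these values compute the cookie.
    payload = json.dumps([user_id, record["username"], record["password_hash"]]).encode()
    return _mac(SERVER_SECRET, payload)


def issue_cookies(user_id: int) -> tuple[str, str]:
    """Values to set in the two cookies after a successful password login."""
    record = USERS[user_id]
    # Cookie one: user id plus a tag so the id cannot be altered client-side
    # (the post's design encrypts it; a MAC over the id is substituted here).
    tag = _mac(SERVER_SECRET, b"uid:" + str(user_id).encode())
    return f"{user_id}.{tag}", _fingerprint(user_id, record)


def autologin(cookie_one: str, cookie_two: str):
    """Return the user id if both cookies check out, otherwise None."""
    try:
        uid_str, tag = cookie_one.split(".", 1)
        user_id = int(uid_str)
    except ValueError:  # malformed cookie one
        return None
    if not hmac.compare_digest(tag, _mac(SERVER_SECRET, b"uid:" + uid_str.encode())):
        return None
    record = USERS.get(user_id)
    if record is None:  # user deleted since the cookie was issued
        return None
    if not hmac.compare_digest(cookie_two, _fingerprint(user_id, record)):
        return None
    return user_id
```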